OpenSSH 3.6.1p2 +UnixWare 7.1.1 +SSH2 + PasswordAuthentication no + PermitEmptyPasswords yes (followup)

Vikash Badal - PCS VikashB at ComparexAfrica.co.za
Thu Jul 10 21:09:11 EST 2003


Greetings,

Problem: OpenSSH 3.6.1p2 on UnixWare 7.1.1 allows access to a passwordless
account without a valid key when sshd_config has PasswordAuthentication no
+ PermitEmptyPasswords yes

Attempts:
Installed maintenance pack 3 and recompiled both OpenSSH and OpenSSL (0.9.7b)
with native C compiler.

Recompiled both OpenSSH and OpenSSL (0.9.7b) with gcc (2.95.2).

Still the same problem.

Looking at auth2.c line 185-190:
 authenticated = m->userauth(authctxt);
 sets authenticate to 1 when PermitEmptyPasswords ==> yes

I found only one reference to userauth()
in sshconnect2.c (line 279)

I do not understand the code m->userauth(authctxt);

Please assist.

Vikash
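
Added example, not part of the original post and not OpenSSH source: a constructed C model of the call the post asks about, where `m` points at an entry in a table of authentication methods and `userauth` is a function pointer stored in that entry. The handler names, the structs and the idea that a "none" handler probes the empty password are assumptions, used to show how the result can be 1 without PasswordAuthentication being consulted and how gating on that option changes it.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model, not OpenSSH source. Only the m->userauth(authctxt)
 * call shape comes from the post; every other name is hypothetical. */
struct options { int password_authentication, permit_empty_passwords; };
struct authctxt { const char *stored_pw; const struct options *opt; };
struct authmethod {
    const char *name;                      /* method name sent by the client */
    int (*userauth)(struct authctxt *);    /* handler: 1 = authenticated */
};
/* Shared password check: consults PermitEmptyPasswords only. */
static int check_password(struct authctxt *c, const char *pw) {
    if (*pw == '\0' && !c->opt->permit_empty_passwords) return 0;
    return strcmp(c->stored_pw, pw) == 0;
}
/* Assumed handler: probes the empty password, ignores PasswordAuthentication. */
static int none_ungated(struct authctxt *c) { return check_password(c, ""); }
/* Same probe, allowed only when PasswordAuthentication is on. */
static int none_gated(struct authctxt *c) {
    return c->opt->password_authentication ? check_password(c, "") : 0;
}
/* Models a client that presents no valid key. */
static int pubkey_no_key(struct authctxt *c) { (void)c; return 0; }
static const struct authmethod ungated[] = {
    {"none", none_ungated}, {"publickey", pubkey_no_key}, {NULL, NULL} };
static const struct authmethod gated[] = {
    {"none", none_gated}, {"publickey", pubkey_no_key}, {NULL, NULL} };
/* Find the entry by name, then call through its pointer. */
static int dispatch(const struct authmethod *tbl, const char *name,
                    struct authctxt *authctxt) {
    for (const struct authmethod *m = tbl; m->name != NULL; m++)
        if (strcmp(m->name, name) == 0)
            return m->userauth(authctxt);  /* the line the post quotes */
    return 0;                              /* unknown method */
}
/* Result for a passwordless account under the given sshd_config values. */
int try_method(const struct authmethod *tbl, const char *name,
               int password_auth, int permit_empty) {
    struct options o = { password_auth, permit_empty };
    struct authctxt c = { "", &o };
    return dispatch(tbl, name, &c);
}

int main(void) {
    printf("ungated=%d gated=%d\n", try_method(ungated, "none", 0, 1),
           try_method(gated, "none", 0, 1));
    return 0;
}
```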


